On Feb 16, 2011, at 10:21 AM, Brandon Harris wrote:
Lots of people don't like to have their sessions stolen via Firesheep. That's one reason to do "all https all the time".
I think y'all should chill and take the tone down from an argument to more of a discussion, where points of view are backed up with information.
Brandon, though perhaps a bit hostile in tone, is backed up by what many consider the best practice after Firesheep. See https://www.eff.org/pages/how-deploy-https-correctly for background and recommendations.
Now, in practice implementing this has challenges. I'm the lead developer on Kete, an open source Ruby on Rails app (http://kete.net.nz), and recently wanted to make the switch to fully HTTPS for a site and the Kete app when used with HTTPS.
I encountered the headache of mixed content warnings.
I found that using // for links I could control mostly did the trick, but external links were problematic. Specifically, the Google Maps API will answer HTTPS, but delivers Javascript with internal links that trigger the mixed content warning. The only workaround appeared to be to pay for premier service from Google.
The organization running the site doesn't have the budget for this, is a non-profit and is using the Maps API non-commercially, and wants to continue to use the API. So...
On 2/15/11 1:09 PM, jidanni@jidanni.org wrote:
Is that how Facebook™ or Google™ operate, sending every single component via HTTPS?
No. Only the vital personal settings, password stuff is done that way.
I ended up falling back to the current "norm" as jidanni outlines. Not happy about it, but my client and my project make use of Maps extensively and it would have been a drag.
All this boils down to, yes full HTTPS is best practice, but if you make use of external APIs or services, it may be hard to achieve.
Cheers, Walter
-----------------------------------------------------------------
Walter McGinnis
Kete Project Lead (http://kete.net.nz)
Katipo Communications, Ltd. (http://katipo.co.nz)
http://twitter.com/wtem
walter@katipo.co.nz
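An added example, not Kete's code or anything posted in this thread: a small Ruby script that does the audit Walter describes by hand. It scans a page meant to be served over HTTPS for http:// subresources, separates active content (scripts, stylesheets, frames, which an on-path attacker could rewrite to run code in the HTTPS origin) from passive content (images, media), and rewrites references to hosts we control as protocol-relative // URLs, leaving third-party hosts alone since only the third party can make those answer HTTPS. The sample HTML and the host names `kete.example` and `maps-cdn.example` are constructed for the example.

```ruby
require 'uri'

# Tags whose http:// references browsers treat as mixed content.
# Active content is the serious case: it can execute or restyle the page.
ACTIVE_TAGS  = %w[script iframe link object embed].freeze
PASSIVE_TAGS = %w[img audio video].freeze

# Constructed sample page: a mix of our own assets, a third-party API that
# answers HTTPS, a third-party asset it pulls in over plain HTTP, and a plain
# hyperlink (navigation links are not mixed content).
SAMPLE_PAGE = <<~HTML
  <script src="http://kete.example/javascripts/app.js"></script>
  <link rel="stylesheet" href="http://kete.example/stylesheets/app.css">
  <script src="https://maps.googleapis.com/maps/api/js"></script>
  <script src="http://maps-cdn.example/mapfiles/main.js"></script>
  <img src="http://kete.example/images/logo.png">
  <a href="http://example.org/">External link (not mixed content)</a>
HTML

# Returns one hash per http:// subresource: { tag:, url:, severity:, fixable: }
#   severity: :active or :passive
#   fixable:  true when the host is one we control, so we can serve it over
#             HTTPS ourselves and reference it with // or https://
def find_mixed_content(html, our_hosts:)
  findings = []
  html.scan(/<(\w+)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/i) do |tag, url|
    tag = tag.downcase
    next unless url =~ %r{\Ahttp://}i
    severity = if ACTIVE_TAGS.include?(tag)
                 :active
               elsif PASSIVE_TAGS.include?(tag)
                 :passive
               end
    next unless severity # e.g. <a href=...> is navigation, not a subresource
    host = begin
      URI.parse(url).host
    rescue URI::InvalidURIError
      nil
    end
    findings << { tag: tag, url: url, severity: severity,
                  fixable: our_hosts.include?(host) }
  end
  findings
end

# Rewrite http:// references to hosts we control as protocol-relative URLs
# ("//host/path" inherits the scheme of the page). Third-party hosts are
# left untouched: forcing https:// on a host that does not serve it would
# just break the asset instead of fixing the warning.
def make_protocol_relative(html, our_hosts:)
  html.gsub(%r{(\b(?:src|href)\s*=\s*["'])http://([^"'/]+)}i) do
    prefix, host = Regexp.last_match(1), Regexp.last_match(2)
    our_hosts.include?(host) ? "#{prefix}//#{host}" : "#{prefix}http://#{host}"
  end
end

# Human-readable report, with what remains after the rewrite.
def report(html, our_hosts:)
  before = find_mixed_content(html, our_hosts: our_hosts)
  after  = find_mixed_content(make_protocol_relative(html, our_hosts: our_hosts),
                              our_hosts: our_hosts)
  lines = before.map do |f|
    "#{f[:severity]} #{f[:tag]} #{f[:url]} (#{f[:fixable] ? 'ours, fixable' : 'third party'})"
  end
  lines << "remaining after rewrite: #{after.size}"
  lines
end

if __FILE__ == $PROGRAM_NAME
  puts report(SAMPLE_PAGE, our_hosts: ['kete.example'])
end
```

Run against the constructed page, the report lists four http:// subresources, three of them on our own host and fixable; after the rewrite only the third-party script remains, which is exactly the situation Walter ran into with the Maps API.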